Secure Your AI Before It’s Weaponized
🇦🇪 Binding

UAE Personal Data Protection Law (PDPL)

Middle East - United Arab Emirates
Summary
The UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) is the UAE's first comprehensive federal data protection law. It establishes a framework for the protection of personal data and creates new obligations for entities that process personal data in the UAE, including those using AI systems.
Key Obligations
  • Obtain valid legal basis for processing personal data
  • Implement appropriate technical and organizational measures
  • Appoint a Data Protection Officer when required
  • Conduct Data Protection Impact Assessments for high-risk processing
  • Report data breaches to the UAE Data Office
  • Ensure lawful cross-border transfers of personal data
  • Respect data subject rights including access, correction, and deletion
  • Maintain records of processing activities
Enforcement
Regulator

UAE Data Office

Penalties

Administrative fines (amounts to be specified in executive regulations), potential civil liability for damages, and reputational damage.

Audit Mechanism

Regulatory inspections, data protection impact assessments, and compliance audits conducted by the UAE Data Office.

Applicable To
  • Data controllers and processors operating in the UAE
  • Organizations processing personal data of UAE residents
  • Companies with UAE operations that handle personal data
  • AI systems that process personal data of UAE residents
  • Cloud service providers storing UAE residents’ data
AI-GPM Coverage

TR  provides comprehensive coverage for UAE PDPL compliance, including data mapping tools, automated compliance assessments, data protection impact assessment automation, and breach notification workflows. Our platform helps organizations ensure their AI systems process personal data in compliance with UAE law.

Overview

The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) came into effect on January 2, 2022, with a six-month grace period for organizations to achieve compliance. It is the UAE’s first comprehensive federal data protection law, establishing a framework for the protection of personal data in the UAE.

The law applies to the processing of personal data by controllers and processors in the UAE, as well as those outside the UAE who process the personal data of individuals in the UAE. It establishes rights for data subjects and obligations for data controllers and processors, with specific implications for AI systems that process personal data.